• hi
    This is a critical issue which hasn’t been resolved for a very long time.

    Unless I’m missing something here?…

    Since WP allows access to the attachment page in the media library to anyone who types in the correct URL, while this is not an issue with images, it is a BIG issue with audio files as they can be played/streamed from that page.

    To prevent unauthorised access, I allocate random names to my audio files before I upload them to the library. While this prevents hackers from accessing my audios by using the product name in the url (which most people do), the issue doesn’t end there.

    On the Product page, I can enter the audio title which “will be displayed to the buyer”. The title is not an issue.

    When a buyer downloads the purchased audio, the file shows its real name instead of the encrypted name – for example, it shows MyLovelyAudio.mp3 instead of hh9&^%o#8.mp3.

    While one could argue that the buyer has already got the file so would not be interested in hacking, there is a possibility for the file URL to be intercepted or copied by someone else.

    My point is that the name of the audio file as it is being downloaded should always be encrypted.

    WP giving open access to the attachments URLs is a different issue. I can’t make that page private as it will not release the purchased audio for internet download. Or can I?

    Grateful for advice (re both issues).

    thanks

    The page I need help with: [log in to see the link]

Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Contributor Niels Lange

    (@nielslange)

    Hello @magicpowers,

    WooCommerce allows you to define the access restrictions and the filename for downloadable products. You can find these settings under WooCommerce → Settings → Products → Downloadable products.

    On https://docs.woocommerce.com/document/digital-downloadable-product-handling/ you can find further information on how digital and downloadable products are handled in terms of security.

    When the permissions are set correctly, it’s not possible for someone else to download audio files from your site. Only the person who has purchased the file is able to download it.

    Thread Starter magicpowers

    (@magicpowers)

    hi @nielslange

    Thanks for your prompt reply.
    well, that’s what I thought should work.

    In Settings, I do have this option selected:
    FILE -Append a unique string to filename for security.

    but then it says:
    Not required if your download directory is protected.

    Why?

    I went to the referred article Protecting your uploads directory
    It says that I need to insert a configuration in wp-content.

    I don’t remember if I have inserted it, most likely not… :-) Where exactly do I need to insert it? (Sorry, I’m not a developer.)

    however, it looks like there are two independent security measures: protecting downloads directory AND appending a unique string to filename.

    So the issue is – regardless of whether I have the uploads directory protected or not – the “Append a unique string to filename for security” option is not working on my site, as I have it selected yet nothing is appended to the file.

    Now, when I hover the mouse over the file title in the downloads email, I can see a very long download URL string. However, the actual mp3 file that downloads to my computer has its original name with nothing appended to it. I hope that appending a unique string to the file name is not that long URL string; it should be in the actual downloaded mp3 file.

    I tried to access the file on another device (where I am not logged in) using a standard downloads url with the file name which was revealed in the download – and without any problems I was able to listen to the recording.

    Grateful for your advice why the downloaded file name is NOT appended with a unique string in spite of this option being ticked in the settings.

    Plugin Contributor Niels Lange

    (@nielslange)

    Hello @magicpowers,

    When activating the option “Downloads require login” via WooCommerce → Settings → Products → Downloadable products it should not be possible to access the audio file from another device when you’re not logged into your account on your other device.

    If you’re still able to access the file, it’s possible that there might be a plugin conflict. Try disabling all of your plugins except WooCommerce. Try testing again to see if the issue persists. If that resolves your issue, try enabling each plugin one by one while continuing to test.

    Thread Starter magicpowers

    (@magicpowers)

    Hi @nielslange

    I can’t have this option on, as this would discourage most customers from buying my products. When there is too much hassle, like having to sign up etc., people just move on. This is just one option, but not a requirement for the file appending with a UNIQUE string to work. This option is not for everyone.

    Appending the file option should work.

    I will test the plugin conflict on my testing site. I don’t feel that’s the issue. And even then – if I do find an offending plugin which I need as much as I need WC – what do I do then? And if I confirm there is no plugin conflict – what do I do then?

    Also, could you please advise (as your help article doesn’t specify this) – where exactly do I need to insert that configuration? If it’s in the server file, I won’t have access to it.

    Thread Starter magicpowers

    (@magicpowers)

    hi @nielslange

    I think I found the issue.

    When I downloaded the file to my computer, it showed with its original name.

    When I downloaded the file to my iPhone, it opened a player. I emailed that page to myself so that I could download the file (there is no such option on an iPhone), and the link in the email was a URL with a very long unique and random string. This looks like the appended file name from the settings option.

    However, when I clicked (in my email) on that link, a Save File window opened; I selected Save File and got the mp3 file downloaded to my computer with its original name.

    So, it looks like this setting option appends to the download URL but NOT to the actual file name of the downloaded file.

    Is this correct? If yes, how can I randomise the name of the mp3 file that is actually being downloaded?

    Without it, randomising the file url provides only a partial protection.

    thanks

    • This reply was modified 4 years, 3 months ago by magicpowers.
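    The two points raised in this thread (where the "protecting your uploads directory" configuration goes, and whether the name of the saved file can be randomised) can be handled together in a small must-use plugin. The following is an added example written for this thread; it is not WooCommerce's own code and not from either poster. It assumes WooCommerce's `woocommerce_file_download_filename` filter, the default `woocommerce_uploads` directory under `wp-content/uploads`, an Apache web server that honours `.htaccess`, and the File download method set to "Force downloads" (with "Redirect only" the browser is sent straight to the file URL, so neither part below applies). The function names prefixed `mp_example_` are made up for this example.

```php
<?php
/**
 * Plugin Name: Protect WooCommerce audio downloads (added example)
 *
 * Save as wp-content/mu-plugins/protect-audio-downloads.php.
 * Added example for the forum thread, not WooCommerce code. Assumes the
 * `woocommerce_file_download_filename` filter and the default
 * wp-content/uploads/woocommerce_uploads download directory.
 */

defined( 'ABSPATH' ) || exit;

/**
 * 1) Deny direct web access to the protected download directory.
 *
 * A hard-to-guess URL only makes the file harder to find; the file on disk
 * keeps its name. The actual control is that the web server refuses direct
 * requests for anything in this directory, so the file can only be obtained
 * through WooCommerce's permission-checked download handler.
 */
function mp_example_protect_download_dir() {
    $uploads   = wp_upload_dir();
    $protected = trailingslashit( $uploads['basedir'] ) . 'woocommerce_uploads';

    if ( ! is_dir( $protected ) ) {
        wp_mkdir_p( $protected );
    }

    // Apache 2.4 syntax first, 2.2 fallback; both mean "refuse every direct request".
    $rules = "<IfModule mod_authz_core.c>\n"
           . "    Require all denied\n"
           . "</IfModule>\n"
           . "<IfModule !mod_authz_core.c>\n"
           . "    Deny from all\n"
           . "</IfModule>\n";

    // Create the files only if missing so an existing configuration is never overwritten.
    if ( ! file_exists( $protected . '/.htaccess' ) ) {
        file_put_contents( $protected . '/.htaccess', $rules );
    }
    if ( ! file_exists( $protected . '/index.html' ) ) {
        file_put_contents( $protected . '/index.html', '' ); // prevents directory listings
    }
}
add_action( 'init', 'mp_example_protect_download_dir' );

/**
 * 2) Hide the original name in the file the buyer saves.
 *
 * When WooCommerce serves the file itself it sets the Content-Disposition
 * filename from this filter. The extension is kept so audio players still
 * recognise the file; everything else is replaced by a random token.
 */
function mp_example_random_download_filename( $filename, $product_id ) {
    $ext   = strtolower( pathinfo( $filename, PATHINFO_EXTENSION ) );
    $token = wp_generate_password( 16, false, false ); // letters and digits only
    $new   = 'download-' . $token . ( '' !== $ext ? '.' . $ext : '' );
    return sanitize_file_name( $new );
}
add_filter( 'woocommerce_file_download_filename', 'mp_example_random_download_filename', 10, 2 );
```

    Two caveats for anyone applying this. The deny rules only protect files that actually live under `woocommerce_uploads`; a file sitting in the ordinary media library path stays reachable by its direct URL whatever its name is, so downloadable audio should be uploaded through the product's "Downloadable files" field (which places it in that directory) rather than the general media library. And on nginx a `.htaccess` file is ignored, so the equivalent `deny all` (or `internal`, when using X-Accel-Redirect) has to go into the server's `location` block for that directory instead.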
    Thread Starter magicpowers

    (@magicpowers)

    hi @nielslange

    could you please reply to my comments above – this is a serious issue that needs to be fixed.

    thanks

    Thread Starter magicpowers

    (@magicpowers)

    ok then, I will contact you directly.

    Thread Starter magicpowers

    (@magicpowers)

    @nielslange

    Due to your lack of response, and hence ignoring the serious security issue I have identified and raised on this forum, I submitted a ticket via your portal.

    Of course, it was deleted and I have never received ANY reply, not even a note – my ticket was simply and very rudely deleted. Nice attitude.

    The portal is referring free plugin users to THIS FORUM for support.

    Is this how you treat your customers? Hiding without any help or reply? Free or not free – this is your plugin and you have the responsibility to provide support on serious issues especially regarding the lack of security of downloads on YOUR PLUGIN.

    If you no longer provide support to the free users – please say so and I will get another ecommerce for my site.

  • The topic ‘No encryption on audio files – critical issue’ is closed to new replies.